Abstract — Smart grid is a cyber-physical system that integrates power infrastructures with information technologies. To facilitate efficient information exchange, wireless networks have been proposed to be widely used in the smart grid. However, the jamming attack that constantly broadcasts radio interference is a primary security threat that prevents the deployment of wireless networks in the smart grid. Hence, spread spectrum systems, which provide jamming resilience via multiple frequency and code channels, must be adapted to the smart grid for secure wireless communications, while at the same time providing a latency guarantee for control messages. An open question is how to minimize message delay for timely smart grid communication under any potential jamming attack. To address this issue, we provide a paradigm shift from the case-by-case methodology, which is widely used in existing works to investigate well-adopted attack models, to the worst-case methodology, which offers a delay performance guarantee for smart grid applications under any attack. We first define a generic jamming process that characterizes a wide range of existing attack models. Then, we show that in all strategies under the generic process, the worst-case message delay is a U-shaped function of network traffic load. This indicates that, interestingly, increasing a fair amount of traffic can in fact improve the worst-case delay performance. As a result, we demonstrate a lightweight yet promising system, TACT (transmitting adaptive camouflage traffic), to combat jamming attacks. TACT minimizes the message delay by generating extra traffic called camouflage to balance the network load at the optimum. Experiments show that TACT can decrease the probability that a message is not delivered on time by an order of magnitude.
1 Introduction

Smart grid is an emerging cyber-physical system that incorporates networked control mechanisms (e.g., advanced metering and demand response) into conventional power infrastructures [1]. To facilitate information delivery for such mechanisms, wireless networks that provide flexible and untethered network access have been proposed and designed for a variety of smart grid applications [2]-[5], such as substation automation [2], [4] and home metering [5]. As a result, wireless networks have become an essential component of the communication infrastructure for the smart grid.

However, the use of wireless networks introduces potential security vulnerabilities due to the shared nature of wireless channels. Indeed, it has been pointed out in [1], [6] that the jamming attack, which uses radio interference to disrupt wireless communications [7]-[9], can result in network performance degradation and even denial-of-service in power applications, thereby being a primary security threat that prevents the deployment of wireless networks for the smart grid. How to defend against jamming attacks is of critical importance to secure wireless communications in the smart grid.
There have been extensive works on designing spread spectrum based communication schemes, which provide jamming resilience to conventional wireless networks by using multiple orthogonal frequency [8], [10] or code [9], [11] channels. Interestingly enough, most efforts adopt a case-by-case (or model-by-model) methodology to investigate how a message can be sent to its destination. In other words, based on commonly-adopted jamming attack models (e.g., periodic, memoryless, and reactive models [12]), existing works focus on designing anti-jamming communication schemes for message delivery in conventional wireless networks.

However, NIST has recently imposed a strong requirement for smart grid security: power system operations must be able to continue during any security attack or compromise (as much as possible) [1]. This means that the widely-used case-by-case methodology cannot be readily adapted to wireless smart grid applications, because it is not able to guarantee reliable communication under any potential jamming attack. To provide such a guarantee, securing wireless smart grid applications requires a paradigm shift from the case-by-case methodology to a new worst-case methodology that offers performance assurance under any attack scenario. On the other hand, it has been shown that the message delay performance can be substantially worsened, and can even violate the timing requirement of control applications, under an inappropriate security design. For example, in an experimental substation network [13], if an RSA-based scheme is used for authenticating trip protection messages, 40% of messages cannot be delivered and verified under the timing requirement of 3 ms. This shows that in addition to the necessity of using the worst-case methodology, security design for the smart grid should also attempt to minimize the message delay such that it always meets the timing requirement. As a result, in this paper, we aim at solving a fundamental yet open question for wireless smart grid applications: how to minimize the message delay under worst-case jamming attacks. The answer to this question can not only help us design network strategies against worst-case jamming attacks in wireless smart grid applications, but also offer general guidance for jamming defense strategies in cyber-physical systems.

In this paper, we address this issue by considering a wireless network that uses multiple frequency and code channels to provide jamming resilience for smart grid applications. We consider two general jamming-resilient communication modes for smart grid applications: coordinated and uncoordinated modes [8]-[10]. In coordinated mode, the sender and receiver share a common secret or key (e.g., code-frequency channel assignment), which is unknown to attackers. Accordingly, an attacker has to choose its own strategy to disrupt the communication between the transmitter and receiver. Coordinated communication is a conventional model in spread spectrum systems. However, the transmitter and receiver may not share a common secret initially (e.g., a node joins a network and attempts to establish a secret with others). Uncoordinated communication is therefore used to help establish such an initial key. In uncoordinated communication, the sender and receiver randomly choose a frequency-code channel to transmit and receive, respectively. A message can be delivered from the sender to the receiver only if they both reside on the same channel, and at the same time the jammer does not disrupt the transmission on the channel.

As power applications are time-critical with strict timing requirements (e.g., 3 ms and 10 ms in substation trip protection [14]), message delivery becomes invalid as long as its delay D is greater than the delay threshold σ. Therefore, different from existing metrics (e.g., throughput or packet delivery ratio [7]) used to evaluate the jamming impact in conventional wireless networks, we use the message invalidation probability P(D > σ), which directly reflects the timing requirements of power applications, to measure the jamming impact in the smart grid. Our goal is to minimize P(D > σ) under the worst-case jamming attack. To this end, we first define a generic jamming process that includes a wide range of existing jamming models. Then, we use both theoretical analysis and experimental study to derive P(D > σ) and accordingly design a solution to minimize P(D > σ) under jamming attacks. We highlight our major findings as follows.

1) We propose to study the worst-case performance under a generic (rather than specific) jamming process. We show, through mathematical derivations, that the worst-case performance in terms of message invalidation probability exhibits a U-shaped¹ response to aggregated network traffic load. In other words, the message invalidation probability is a first-decreasing, then-increasing function of network traffic load.

2) Based on this U-shape effect, we propose a TACT (transmitting adaptive camouflage traffic) system that uses "camouflage traffic" to achieve the optimal aggregated network traffic load that minimizes the message invalidation ratio.

The underlying explanation behind the U-shape phenomenon and the TACT anti-jamming strategy is that using camouflage traffic (i.e., redundant traffic transmitted by TACT) exploits the over-provisioning of bandwidth in a smart grid network, where the time-critical traffic rate is smaller than the network bandwidth. By sending more such camouflage traffic (mixed with smart grid control traffic) into the network, we can force a jammer to "waste" enough jamming capability on the camouflage traffic (because the jammer has no way to tell the camouflage traffic from the real smart grid traffic), so that the jammer cannot find the real traffic quickly enough. Therefore, the message invalidation ratio decreases when we send camouflage traffic into the network under jamming. However, if the rate of sending camouflage traffic keeps increasing and approaches the network bandwidth, more collisions will happen in the network, thereby degrading the network performance (i.e., increasing the message invalidation ratio). As a result, there exists an optimal rate at which to send camouflage traffic, and TACT is used to adaptively find this rate.

Because our strategy is based on the worst-case methodology, the U-shape property and the global minimum of the message invalidation probability are independent of any particular jamming strategy, thus offering a performance guarantee for a wireless smart grid application under jamming attacks.

The rest of this paper is organized as follows. In Section 2, we introduce preliminaries and models. In Sections 3, 4, and 5, we derive the theoretical results, design the method of TACT, and implement TACT in our experimental smart grid system, Green Hub, respectively. Finally, we conclude in Section 6.

2 Models and Problem Formulation

In this section, we first introduce background on wireless networks for the smart grid, then present the network and jamming models, and finally formulate the problem.

2.1 Background: Smart Grid over Wireless

Wireless networks are in general used for local-area smart grid applications, such as substation automation and distributed energy management [2], [3]. The wireless network for a local-area power system consists of a number of intelligent electronic devices (IEDs) and the gateway node. IEDs are devices installed on infrastructures to fulfill power management procedures by communicating with each other. The gateway is connected to the smart grid backbone network. Local-area messages can be forwarded via the gateway to outside networks.

1. Mathematically, a function is said to be U-shaped if it is first-decreasing, then-increasing.

Due to the broadcast nature of wireless channels, wireless networks for the smart grid are inevitably exposed to jamming attacks, which transmit radio interference to prevent legitimate messages from being received [7]-[9]. It has already been pointed out that jamming attacks, by disrupting communication between power equipment, can possibly result in grid operation instability or even regional blackout [15]. Therefore, wireless networks for the smart grid must have the ability to combat jamming attacks. There are two widely-used spread spectrum techniques [8], [9], [11], [16] to defend against jamming attacks in the literature. (i) Frequency hopping spread spectrum (FHSS): the sender and receiver switch the frequency channel among a pool of candidate channels from time to time. The jammer can only jam a transmission when it is on the same channel. (ii) Direct sequence spread spectrum (DSSS): the sender multiplies the original data with a pseudo-noise (PN) sequence (called a code channel). The receiver uses a correlator with the same PN sequence to recover the original message. It is difficult for a jammer to disrupt the communication unless it knows the PN sequence used by the channel.

Both FHSS and DSSS have been proposed and used for power applications [3], [15], [17], [18]. For example, a DSSS based system is demonstrated in [17] for local substation automation. Since FHSS and DSSS provide jamming resilience by using multiple orthogonal frequency and code channels, a trivial solution for decreasing the message delay is to increase the number of frequency or code channels. Then, a jammer will have a lower chance of transmitting jamming signals on the same channel used by a transmit-receive pair. However, this is quite undesirable in practice because of the large cost of network spectrum resources. Therefore, we attempt to minimize the message delay in a wireless network with fixed numbers of frequency and code channels.

2.2 Network Model

We consider a wireless local-area network N(m, Nf, Nc), where m is the number of nodes (including IEDs and the gateway) in the network, and Nf and Nc are the numbers of frequency and code channels, respectively. There are two major types of traffic flows in the network: 1) local traffic, which is generated from one node to another for local monitoring or protection; 2) outside traffic, which is between a node and an outside node via the smart grid backbone network.

For a message going outside, it will be delivered first from an IED to the gateway via the local-area network (local delivery), then to the destination network via the smart grid backbone network. If there exists a jammer, it can affect the delay performance of both local and outside traffic types. For outside traffic, the delay component of the first local delivery can dominate the overall end-to-end delay, since the smart grid backbone network is always of high bandwidth. Therefore, we focus on the message delay of local traffic in the network.

It is worth noting that in the smart grid, a large amount of network traffic features a constant traffic model for continuous monitoring and control of power equipment [3], [14], [19]. In addition, nodes can have distinct network traffic loads for different applications. For example, merging-unit IEDs in a substation can send sampled power signal quality data at various rates of 960-4800 messages/s, depending on configuration [19]. Thus, we assume that there are heterogeneous traffic loads in network N(m, Nf, Nc), i.e., node i has a constant traffic load of λi messages/s (i ∈ {1, 2, ..., m}) in the network.

2.3 Communication and Interference Models

2.3.1 Protocol Processing

In the smart grid, to ensure in-time monitoring and control of power devices, a large number of communication messages have stringent timing requirements. For example, substation applications have 3 ms-500 ms delay constraints for message delivery [14]. We refer to such messages as time-critical messages. The nature of time-critical messages indicates that they should be transmitted immediately and avoid being buffered. For example, time-critical messaging in substation communications [14] features a simple transmission mechanism at the application layer: bypass TCP and retransmit the same message multiple times to ensure timely delivery and reliability. Thus, we also adopt such a mechanism at the application layer of each node.

When a message is passed from the application layer to the MAC layer, traditionally, CSMA/CA is used to sense the channel activity before sending the message. However, CSMA/CA is primarily designed for one-channel networks, and may not be efficient in spread spectrum systems. In network N(m, Nf, Nc), the wireless channel is separated into Nf frequency and Nc code channels. Such channels can be considered orthogonal to each other [20]. Even if there are multiple wireless transmissions over the same frequency channel, they will be successfully decoded at receivers as long as they use distinct code channels. CSMA/CA, which defers a transmission after sensing activity on a frequency channel, may unintentionally degrade the delay performance.

Thus, we assume that when the MAC layer receives a message from upper layers, it will directly transmit the message on a frequency-code channel pair, denoted as the (i, j)-th channel shown in Fig. 1. Since the application layer will retransmit the message multiple times, the MAC layer will assign a distinct frequency-code channel to each retransmission.

Fig. 1. Nf frequency and Nc code channels available.

To correctly decode the message, the receiver must reside on the same frequency-code channel used by the sender. However, the receiver may or may not have the information of the sender's channel assignment, which leads to distinct communication modes between the sender and receiver. In what follows, we will consider extensively-used models in the literature.

2.3.2 Secret Communications and Key Establishment

As mentioned previously, two communicators may or may not share a common secret channel assignment (the key) with each other. If they do share a key, the receiver can synchronize with the sender's frequency-code channel switching, which is called coordinated communication mode. In this mode, we assume that for a sender-receiver pair, each channel assignment is uniformly distributed over all NfNc selections such that the chance of potential channel collision among legitimate nodes is minimized.

Coordinated communication happens only when two communicators share a secret unknown to others. However, they initially may not have such a secret. In fact, it is commonly assumed (e.g., [8], [10], [11]) that they share no secret key before they attempt to communicate. Then, how do they establish a key before using it to communicate in coordinated mode? To solve this question, a widely-adopted solution (e.g., [8], [10], [11]) is uncoordinated communication mode, which works as follows.

First, assume that the two communicators can always verify each other's authenticity (e.g., their public keys are open to everyone). Every packet transmitted by the sender is digitally signed by the sender's private key. Then, the receiver can use the sender's public key to verify if a packet is indeed sent by the real sender.

Second, the sender keeps sending the key information on a randomly selected frequency-code channel. The information is encrypted (e.g., using the receiver's public key) such that it is only decodable by the real receiver. At the same time, the receiver randomly chooses a channel to listen on. When the sender and receiver reside on the same channel, the key information can be successfully delivered, thereby finishing the key establishment.

After the key establishment, the sender and receiver have shared a common secret key, so they can use the key to communicate. We can see that although uncoordinated communication looks less efficient, it is still essential to achieve coordinated communication. As a result, both uncoordinated and coordinated modes are vital for securing jamming-resilient communications.

Since channel selection is random in the uncoordinated mode, we adopt the uniform selection strategy [21], in which both sender and receiver uniformly choose channels to transmit and receive, respectively.

2.3.3 Interference Model

In coordinated mode, the sender and receiver have common knowledge of the secret channel assignment, and can synchronize with each other. The transmission on a channel fails only when it is disrupted by jamming or other transmissions on the same channel. Thus, we assume that for coordinated communication, the message delivery on the (i, j)-th channel fails when at least one of the following two events holds: 1) at least a portion p (0 < p < 1) of the transmission is disrupted by jamming on the (i, j)-th channel; 2) at least a portion p of the transmission collides with other legitimate traffic on the (i, j)-th channel.

For uncoordinated mode, message delivery failure can be caused not only by jamming or other transmissions on the same channel, but also by the channel selection mismatch between the sender and receiver. Therefore, we assume that the message delivery with duration TL on the (i, j)-th channel fails if at least one of the following holds: 1) at least a portion p of the transmission is disrupted by jamming on the (i, j)-th channel; 2) at least a portion p of the transmission collides with other legitimate traffic on the (i, j)-th channel; 3) during the message transmission, the receiver resides on the (i, j)-th channel for a time duration smaller than (1 − p)TL.

Note that the value of p varies in practice, depending on the error correction coding. For example, if the standard (255, 223) Reed-Solomon code is used in the transmission, it is capable of correcting up to 16 bit errors among every 223 information bits [9], resulting in p ≈ 7.1%.

2.4 Generic Jamming Model

The objective of a jammer is to broadcast interference to disrupt as many messages as possible in network N(m, Nf, Nc). As the network has multiple channels, the jammer can adopt a wide range of strategies. In the literature, there are two major jamming types in terms of jamming behavior: non-reactive and reactive models [7]-[11]. Non-reactive jammers transmit radio interference by following their own strategies. Reactive jammers transmit interference only when they sense any activity on a wireless channel. In addition, a jammer can either target a single frequency-code channel or have the ability to attack multiple channels at the same time. In this paper, we assume that the jammer has knowledge of the pool of candidate channels used in the network, and attempts to choose the best strategy to attack one or some of the channels in order to launch the worst-case attack. In order to accommodate the varying strategies a jammer can use, we define a generic process that captures the various jamming behaviors and models in the literature.
Definition 1 (Generic Jamming Process): A jamming attack can be represented as a Markov-renewal process ((F, C), X), where X_k is the renewal interval representing the jamming duration at the k-th state, denoted by (F_k, C_k) = {(F_{k,i}, C_{k,i})}_{i∈[1,s]}, the set of frequency and code channels targeted by the jammer, (F_{k,i}, C_{k,i}) is a particular frequency and code channel, and s is the number of channels the jammer can attack simultaneously. The embedded transition matrices associated with states (F_k, C_k) are denoted as Q_f and Q_c, respectively. When the jamming is non-reactive, ((F, C), X) is assumed to be a continuous Markov process. When the jamming is reactive, X_k = τ + S_k·1_A, where τ is the constant channel sensing time, S_k is the duration of the jamming signal, and A denotes the event that at least one channel in set (F_k, C_k) is sensed busy.

[Figure 2 diagrams: (a) constant jamming, (b) sweeping jamming, (c) uniformly distributed jamming]

Fig. 2. Jamming strategies due to state transitions.

Remark 1: The generic jamming process can characterize both non-reactive and reactive jamming behaviors. In addition, it also models jammers that can attack s > 1 frequency-code channels at the same time. Thus, the generic model defined in Definition 1 can represent a wide range of existing jamming models and strategies in the literature. For example, consider a simple network with 4 frequency channels in the presence of a jammer that can attack only one frequency channel at a time. If the jammer's transition matrix Q_f is the 4×4 identity matrix with state transitions shown in Fig. 2(a), every state is an absorbing state and the process represents continuous jamming on a particular channel [7]. Similarly, Figs. 2(b) and 2(c) represent sweeping jamming [22] and uniformly-distributed jamming, respectively.

As we can see in the Markov-renewal model, {X_k} and {(F_k, C_k)} directly reflect when a certain set of channels is affected by the jamming attack, and matrices Q_f and Q_c model what the jamming strategy is.
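To make Definition 1 and the three strategies of Fig. 2 concrete, the following Python simulation is added here as an illustration; it is not code from the paper or its authors. It assumes a slotted model (one transmission attempt per slot of length T_L, a renewal interval X_k of one slot, s = 1 jammed frequency channel, N_c = 1, and any slot in which the jammer sits on the sender's channel counts as a disrupted attempt), encodes the constant, sweeping and uniform strategies as embedded transition matrices Q_f, and estimates the message invalidation probability P(D > σ) over σ/T_L retransmission attempts in both the coordinated and uncoordinated modes of Section 2.3.2. The function and parameter names are my own.

```python
"""Slot-level Monte Carlo model of the generic jamming process (Definition 1)
for the frequency-channel strategies of Fig. 2, with the coordinated and
uncoordinated communication modes of Section 2.3.2.

Assumed simplifications (mine, not the paper's): time is slotted in units of the
message duration T_L, each renewal interval X_k lasts one slot, the jammer
attacks s = 1 frequency channel per slot (N_c = 1), and a transmission attempt
is disrupted whenever the jammer sits on its channel for that slot.
"""
import random
from typing import List

Matrix = List[List[float]]  # embedded transition matrix Q_f over n_f channels


def constant_matrix(n_f: int) -> Matrix:
    """Q_f = identity: every state is absorbing (Fig. 2(a), constant jamming)."""
    return [[1.0 if i == j else 0.0 for j in range(n_f)] for i in range(n_f)]


def sweeping_matrix(n_f: int) -> Matrix:
    """Cyclic shift i -> (i + 1) mod n_f (Fig. 2(b), sweeping jamming)."""
    return [[1.0 if j == (i + 1) % n_f else 0.0 for j in range(n_f)] for i in range(n_f)]


def uniform_matrix(n_f: int) -> Matrix:
    """Every row uniform: the next channel is independent of the current one (Fig. 2(c))."""
    return [[1.0 / n_f] * n_f for _ in range(n_f)]


def next_state(q: Matrix, state: int, rng: random.Random) -> int:
    """Draw the jammer's next channel from row `state` of Q_f."""
    r, acc = rng.random(), 0.0
    for j, prob in enumerate(q[state]):
        acc += prob
        if r < acc:
            return j
    return len(q) - 1  # only reached through floating-point rounding


def message_invalid(q: Matrix, n_f: int, attempts: int, coordinated: bool,
                    rng: random.Random) -> bool:
    """One time-critical message with attempts = sigma / T_L retransmissions.

    Every attempt uses a fresh uniformly chosen channel (Section 2.3.1). In
    coordinated mode the receiver follows the sender; in uncoordinated mode it
    listens on its own uniformly chosen channel. The message becomes invalid
    (D > sigma) only if every attempt is lost to a mismatch or to jamming.
    """
    jam = rng.randrange(n_f)  # jammer's initial state, drawn uniformly
    for _ in range(attempts):
        tx = rng.randrange(n_f)
        rx = tx if coordinated else rng.randrange(n_f)
        if rx == tx and jam != tx:
            return False  # delivered within the delay threshold
        jam = next_state(q, jam, rng)
    return True


def invalidation_probability(q: Matrix, n_f: int, attempts: int, coordinated: bool,
                             trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of P(D > sigma) for one jamming strategy and mode."""
    rng = random.Random(seed)
    lost = sum(message_invalid(q, n_f, attempts, coordinated, rng) for _ in range(trials))
    return lost / trials


def slot_model_closed_form(n_f: int, attempts: int, coordinated: bool) -> float:
    """Exact P(D > sigma) under the slot model: the sender's channel is uniform and
    independent of a non-reactive jammer, so each attempt is jammed with
    probability s / n_f = 1 / n_f regardless of Q_f; uncoordinated mode also needs
    the receiver to pick the same channel, a further factor 1 / n_f."""
    success = (1.0 - 1.0 / n_f) * (1.0 if coordinated else 1.0 / n_f)
    return (1.0 - success) ** attempts


if __name__ == "__main__":
    strategies = (("constant", constant_matrix(4)), ("sweeping", sweeping_matrix(4)),
                  ("uniform", uniform_matrix(4)))
    for name, q in strategies:
        for coordinated in (True, False):
            mode = "coordinated" if coordinated else "uncoordinated"
            est = invalidation_probability(q, 4, 3, coordinated)
            print(f"{name:9s} {mode:13s} P(D > sigma) ~ {est:.4f} "
                  f"(closed form {slot_model_closed_form(4, 3, coordinated):.4f})")
```

Running the block prints nearly identical estimates for all three Q_f within a given mode: because the sender's channel is drawn uniformly and independently of a non-reactive jammer, each attempt is jammed with probability s/(NfNc) whatever the jammer's transition matrix is, which is what lets a bound like Lemma 1 depend on s alone. Uncoordinated mode pays an extra factor of 1/(NfNc) per attempt for the channel rendezvous, which is why the same number of retransmissions leaves a much larger invalidation probability there.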

2.5 Problem Formulation

The primary goal of smart grid communication is to achieve timely monitoring and control for power control applications. Therefore, the delay performance is of critical importance in the smart grid. A time-critical message becomes invalid as long as its message delay D is greater than its delay constraint σ. As a result, we focus on how to minimize the message invalidation probability P(D > σ) in network N(m, Nf, Nc) under the generic jamming process ((F, C), X).

2. 1_A denotes the indicator function, which has the value 1 for A and the value 0 for A^c.

It is worth noting that there are two opposing parties in the network: the network operator always attempts to minimize the message delay; in contrast, the jammer always intends to maximize the message delay. The lower bound of the message delay is always achieved when there exists no jammer or only a naive jammer. As NIST requires that smart grid operations continue under any potential attack, we adopt a worst-case methodology to study the problem of minimizing message delay in the smart grid under jamming attacks. Specifically, we address the following two questions.

1) In wireless local-area network N(m, Nf, Nc), for a time-critical application with delay threshold σ, what is the worst-case delay performance P(D > σ) under the generic jamming process ((F, C), X)?

2) Given the worst-case scenario in Step 1, how to minimize P(D > σ)?

There has been existing work addressing denial-of-service attacks on multimedia traffic (e.g., [23], [24]). We note that the differences between smart grid traffic and multimedia traffic are: 1) smart grid traffic is more time-critical (e.g., a 3 ms requirement in GOOSE compared with around a 100 ms requirement for multimedia); 2) time-critical traffic in the smart grid is periodic and unsaturated (i.e., the traffic load is smaller than the network bandwidth), whereas multimedia traffic is usually saturated and requires adequate congestion control. As a result, the smart grid traffic features a simpler retransmission mechanism without congestion control. In addition, we will show that we can take advantage of the unsaturated nature of smart grid traffic to design countermeasures.

Next, we use theoretical analysis to show the worst-case delay performance under jamming attacks.

3 Theoretical Analysis

In this section, we theoretically analyze the worst-case delay performance for wireless smart grid applications under the generic jamming model. We first consider the worst case in coordinated communication, then the worst case in uncoordinated communication. Finally, we propose a method to minimize the worst-case delay for both coordinated and uncoordinated modes.

3.1 Jamming against Coordinated Mode

Our goal is to find the jamming attack that maximizes P(D > σ) such that we can identify the worst-case attack targeting wireless smart grid applications. As our generic jamming process characterizes both non-reactive and reactive jammers, we provide analytical results of their impacts on P(D > σ), respectively.

Lemma 1 (Non-Reactive Jamming): In wireless local-area network N(m, Nf, Nc) in the presence of a non-reactive jamming process ((F, C), X) with the ability to attack s channels simultaneously, the message delay D_k of a time-critical application at node k satisfies

\mathbb{P}(D_k > \sigma) \le \left[ 1 - \left(1 - \frac{1}{N_f N_c}\right)^{2T_L(1-p)\sum_{j \ne k}\lambda_j} \left(1 - \frac{s}{N_f N_c}\right) \right]^{\sigma/T_L}, \quad (1)

where T_L is the message transmission duration, σ is the message delay threshold, and λ_j is the traffic rate at node j.

Proof: Without loss of generality, assume that node 1 transmits a message with delay threshold σ and duration T_L. The application layer can transmit the message at most ⌊σ/T_L⌋ times (for the sake of simplicity, in the following we assume that σ/T_L is an integer, i.e., ⌊σ/T_L⌋ = σ/T_L, which does not affect the derivation of our main results). Among all σ/T_L transmission attempts, the i-th one uses the (u_i, v_i)-th channel (1 ≤ i ≤ σ/T_L).

The message invalidation probability $P(D_1 > \sigma)$ is equal to the probability that all $\sigma/T_L$ transmission attempts are disrupted by either collision or jamming, i.e.,

$$P(D_1 > \sigma) = P\left( \bigcap_{i=1}^{\sigma/T_L} (J_i \cup C_i) \right), \quad (2)$$

where $C_i$ and $J_i$ denote the events that the $i$-th transmission is disrupted by collision and jamming, respectively.

First, we derive the collision probability $P(C_i)$. Suppose that node 1's $i$-th transmission starts at time 0. A collision that can successfully disrupt node 1's transmission will happen if another node makes a transmission attempt during the period $[(\rho-1)T_L, (1-\rho)T_L]$ and at the same time uses the same channel. Since all nodes have constant traffic rates, there are $2(1-\rho)T_L\gamma_1$ transmissions at other nodes that can possibly disrupt node 1's transmission. As the frequency-code channel for each transmission in the network is uniformly assigned among all $N_f N_c$ selections, the collision probability is equal to the probability that there is at least one other transmission colliding with node 1's $i$-th transmission, which can be written as

$$P(C_i) = 1 - \left(1 - \frac{1}{N_f N_c}\right)^{2(1-\rho)T_L\gamma_1}, \quad (3)$$

where $\gamma_1 = \sum_{j=2}^{m} \lambda_j$.

Then, we compute the jamming probability $P(J_i)$. The jamming process $\{(F_l, C_l), X_l\}$ has renewal intervals $\{X_l\}$. Let $N_i$ represent how many times the jammer makes a state transition during the $i$-th transmission, i.e., $N_i = \max\{n \in \mathbb{N} : \sum_{l=1}^{n} X_l \le (1-\rho)T_L\}$, $\mathbb{N} = \{0, 1, 2, \cdots\}$, where $X_1, \cdots, X_{N_i}$ are the jamming intervals during the $i$-th transmission. In order to disrupt the $i$-th transmission (i.e., $J_i$ holds), the sum of the jamming intervals on the $(u_i, v_i)$-th channel must be larger than the threshold $\rho T_L$. Letting $B_l$ be the event that the $l$-th interval with length $X_l$ hits the $(u_i, v_i)$-th channel (i.e., $B_l = \{u_i \in F_l, v_i \in C_l\}$), we obtain

$$P(J_i \mid u_i, v_i) = P\left( \sum_{l=1}^{N_i} X_l 1_{B_l} > \rho T_L \right) \le \frac{E\left( \sum_{l=1}^{N_i} X_l 1_{B_l} \right)}{\rho T_L} = \frac{E(N_i)\, E(X_l)\, P(B_l)}{\rho T_L}, \quad (4)$$

where the inequality and the last equality follow from Markov's inequality and Wald's equation, respectively, $E(N_i) = (1-\rho)T_L / E(X_l)$, and $P(B_l)$ denotes the probability that the jamming hits the $(u_i, v_i)$-th channel. Since $(u_i, v_i)$ is uniformly assigned, it follows from (4) that

$$P(J_i) \le \sum_{p=1}^{N_f} \sum_{q=1}^{N_c} \frac{E(N_i)\, E(X_l)\, P(B_l \mid u_i = p, v_i = q)}{\rho T_L\, N_f N_c} \le \frac{(1-\rho)T_L}{E(X_l)} \cdot E(X_l) \cdot \frac{s}{N_f N_c\, \rho T_L} = \frac{(1-\rho)s}{\rho N_f N_c}. \quad (5)$$

Finally, combining (2), (3) and (5) finishes the proof. □
Next,  we  present  our  results  on  reactive  jamming. 
Lemma 2 (Reactive Jamming): In wireless local-area network $\mathcal{N}(m, N_f, N_c)$ in the presence of a reactive jammer $\{(F_l, C_l), X_l\}$ that has sensing time $\tau$ and can attack $s$ channels simultaneously, for a time-critical application at node $k$, its message delivery delay $D_k$ satisfies

$$P(D_k > \sigma) \le \left( 1 - \left(1 - \frac{1}{N_f N_c}\right)^{2T_L(1-\rho)\gamma_k} \left(1 - \frac{(1-\rho)sT_L}{\tau N_f N_c + \rho(1-\rho)T_L^2\gamma_k}\right) \right)^{\sigma/T_L}, \quad (6)$$

where $T_L$ is the message transmission duration, $\sigma$ is the message delay threshold, $\gamma_k = \sum_{j \ne k} \lambda_j$, and $\lambda_j$ is the traffic rate at node $j$.

Proof: Similar to the proof of Lemma 1, assume that node 1 transmits a message with delay threshold $\sigma$. The transmission resides at the $(u_i, v_i)$-th channel for the $i$-th attempt. To find $P(D_1 > \sigma)$, we first need to compute both collision and jamming probabilities, $P(C_i)$ and $P(J_i)$. As $P(C_i)$ is given in (3), we in the following compute $P(J_i)$.

For the sake of simplicity, assume that the $i$-th transmission starts at time 0. Define a renewal process $N_i(t) = \max\{n \in \mathbb{N} : \sum_{l=1}^{n} X_l \le t\}$, $\mathbb{N} = \{0, 1, 2, \cdots\}$, where $X_1, X_2, \cdots$ are renewal intervals during period $[0, t]$. Different from non-reactive jamming, reactive jamming has renewal intervals $X_l = \tau + S_l 1_A$, where $A$ denotes the event that a channel is sensed with activity, and $S_l$ is the jamming duration. To maximize its damage to the network, the reactive jammer should always set the jamming duration $S_l$ to be $\rho T_L$. This means that when the jammer senses a transmission, it always chooses the minimum effective jamming duration to disrupt the transmission such that it can immediately move on to sense and jam other channels. Thus, we choose $S_l = \rho T_L$.

In order to successfully disrupt the $i$-th transmission (i.e., $J_i$ holds), the reactive jammer must switch to the $(u_i, v_i)$-th channel at least once during $[0, (1-\rho)T_L - \tau]$. Let event $B_l = \{u_i \in F_l, v_i \in C_l\}$. Then, $P(J_i \mid u_i, v_i) = P\left( \sum_{l=1}^{N_i((1-\rho)T_L - \tau)} 1_{B_l} \ge 1 \right)$. Using similar procedures as in (4) and (5), we have

$$P(J_i) \le E\big(N_i((1-\rho)T_L - \tau)\big)\, \frac{s}{N_f N_c}. \quad (7)$$

To obtain $E(N_i((1-\rho)T_L - \tau))$, we first have from the elementary renewal theorem

$$\lim_{t \to \infty} \frac{E(N_i(t))}{t} = \frac{1}{E(X_l)}, \quad (8)$$

where $E(X_l) = \tau + \rho T_L P(A)$, $P(A)$ is the probability that a channel is sensed busy, and $P(A) = 1 - (1 - 1/(N_f N_c))^{(1-\rho)T_L\gamma_1}$. Then, it is reasonable to assume that the sensing time $\tau \ll T_L$ and the renewal interval $E(X_l) \ll T_L$, since power networks always have unsaturated traffic loads [3], [14] for timely monitoring and control. Thus, from (8), $E(N_i((1-\rho)T_L - \tau))$ can be approximated as

$$E\big(N_i((1-\rho)T_L - \tau)\big) \approx \frac{(1-\rho)T_L - \tau}{E(X_l)} \approx \frac{(1-\rho)T_L}{E(X_l)} = \frac{(1-\rho)T_L}{\tau + \rho T_L - \rho T_L \left(1 - \frac{1}{N_f N_c}\right)^{(1-\rho)T_L\gamma_1}} \approx \frac{(1-\rho)T_L}{\tau + \frac{\rho(1-\rho)T_L^2\gamma_1}{N_f N_c}}. \quad (9)$$

The last approximation follows from the fact that $(1-x)^a \approx 1 - ax$ for small $x$. From (7) and (9), we obtain

$$P(J_i) \le \frac{(1-\rho)sT_L}{\tau N_f N_c + \rho(1-\rho)T_L^2\gamma_1}. \quad (10)$$

Combining (2), (3) and (10) completes the proof. □
Based on Lemmas 1 and 2, we then show that reactive jamming in general leads to the worst-case delay performance, thereby maximizing the damage to the network.

Theorem 1 (Worst-Case Delay in Coordinated Mode): For wireless local-area network $\mathcal{N}(m, N_f, N_c)$ under coordinated communication, the worst-case delay performance at node $k$ is induced by reactive jamming with sensing time $\tau$ sufficiently small. Specifically, the message delay $D_k$ satisfies

$$P(D_k > \sigma) \le \left( 1 - \left(1 - \frac{1}{N_f N_c}\right)^{2T_L(1-\rho)\gamma_k} \left(1 - \frac{(1-\rho)sT_L}{\tau N_f N_c + \rho(1-\rho)T_L^2\gamma_k}\right) \right)^{\sigma/T_L}, \quad (11)$$

where $T_L$ is the message transmission duration, $\sigma$ is the message delay threshold, $\gamma_k = \sum_{j \ne k} \lambda_j$, and $\lambda_j$ is the traffic rate at node $j$.

Proof: Comparing (1) with (6), it suffices to show

$$\frac{(1-\rho)sT_L}{\tau N_f N_c + \rho(1-\rho)T_L^2\gamma_k} > \frac{(1-\rho)s}{\rho N_f N_c}, \quad (12)$$

which is equivalent to

$$\tau < \rho T_L - \frac{\rho(1-\rho)T_L^2\gamma_k}{N_f N_c}. \quad (13)$$

In order for (13) to hold for $\tau$ sufficiently small, it suffices to show that the right-hand side of (13) is larger than 0, i.e., $\rho T_L - \rho(1-\rho)T_L^2\gamma_k/(N_f N_c) > 0$. Let $\gamma$ be the overall message rate in the network and $B$ be the maximum bit rate supported by each sub-channel. Then, a single message includes $T_L B$ bits, and the overall network traffic rate (in terms of bits/s) can be written as $r = T_L B \gamma$, which is smaller than the overall channel bandwidth $N_f N_c B$. In other words, we have $r = T_L B \gamma < N_f N_c B$, i.e., $T_L \gamma < N_f N_c$. Since it always holds that $\gamma_k \le \gamma$, we have $T_L \gamma_k < N_f N_c$ and

$$\rho T_L - \frac{\rho(1-\rho)T_L^2\gamma_k}{N_f N_c} > \rho T_L - \rho(1-\rho)T_L > 0, \quad (14)$$

which finishes the proof. □

Fig. 3. Coordinated communication: worst-case delay performance $P(D_k > \sigma)$ versus aggregate traffic $\gamma_k$ at node $k$ for time-critical applications with delay thresholds of 3-9 ms. ($N_f = N_c = 10$, $T_L = 1$ ms, $\rho = 0.1$, and $\tau = 1$ µs.)

Remark 2: Theorem 1 shows that reactive jamming with sensing time $\tau$ sufficiently small will induce the worst-case performance. Theoretically, we can always assume that $\tau$ is arbitrarily small and consider reactive jamming as the worst case. Will reactive jamming do so in practice? The essence of the question is how small $\tau$ can be for a practical jammer. Taking a closer look at (13), we find that the right-hand side can be approximated as $\rho T_L$ when the pool of channel selections is large (i.e., $N_f N_c$ is large), which is true for an effective anti-jamming system. This indicates that reactive jamming is more harmful than non-reactive jamming when $\tau$ is smaller than the minimum jamming duration $\rho T_L$. It has been shown that $\tau$ can be designed very small, depending on implementation, while $\rho T_L$ should be kept relatively large to effectively disrupt a transmission. For example, a software-defined radio based jammer [25] needs 20 µs to sense an 802.15.4 transmission and send jamming signals for at least 26 µs to disrupt the transmission. Such a sensing time can be further shortened with a hardware implementation instead of a software implementation, which demonstrates that $\tau$ is indeed smaller than $\rho T_L$ in practice. Therefore, it is reasonable to consider reactive jamming as the worst case both theoretically and practically.

Fig. 3 shows an example of the worst-case message invalidation probabilities induced by both non-reactive (1) and reactive jamming (6) for time-critical applications at node $k$. We can see that reactive jamming always leads to worse delay performance than non-reactive jamming, and that the delay performance at node $k$ also depends on the aggregate traffic load $\gamma_k$. An interesting observation from Fig. 3 is that in the reactive-jamming case, the message invalidation probability is not minimized at $\gamma_k = 0$. Instead, it is minimized at a fairly large value $\gamma_k \approx 38$ kilo-messages/s.

Fig. 3 illustrates that, interestingly, the worst-case delay (caused by reactive jamming) is in fact a U-shaped (first-decreasing then-increasing) function of traffic load $\gamma_k$. This is due to the sensing and reacting nature of
reactive  jamming.  Consider  a  simple  example:  Fig.  4(a) 
shows  two  transmissions  of  a  message  by  node  1  with 
two-channel  frequency-hopping.  If  there  is  no  other  traf¬ 
fic,  by  scanning  the  two  channels  alternately,  a  reactive 
jammer  can  always  sense  and  jam  both  transmissions. 


Fig. 4. Message delivery under reactive jamming: (a) without other traffic, the jammer senses and jams both transmissions; (b) with node 2 transmitting, the first transmission is jammed and the second is delivered.


If node 2 is also transmitting as shown in Fig. 4(b), the jammer can also sense and attempt to disrupt node 2's transmission. Then, there is a chance that node 1's message can be delivered during the time that the jammer is jamming node 2's transmission. Thus, moderately increasing the network traffic load can in fact improve the delay performance under reactive jamming. On the other hand, over-increasing the traffic will surely decrease the performance, since transmissions then have a high probability of colliding with each other. Hence, there should be an optimal traffic load such that the worst-case message delay is minimized.

In the following, we show theoretically that there exists a traffic load $\gamma_k^*$ that minimizes the worst-case message invalidation probability for node $k$ in the network.

Theorem 2 (Optimal Load in Coordinated Mode): In wireless network $\mathcal{N}(m, N_f, N_c)$, node $k$'s worst-case message invalidation probability (11) in coordinated communication is minimized at

$$\gamma_k^* = \frac{1}{\rho(1-\rho)T_L^2} \left( \frac{c_1 c_2 - \sqrt{c_1^2 c_2^2 - 4 c_1 c_2 \rho T_L}}{2 c_1} - \tau N_f N_c \right),$$

where $c_1 = 2\ln(1 - 1/(N_f N_c))$ and $c_2 = (1-\rho)sT_L$.

Proof: It is equivalent to show that $\gamma_k^*$ maximizes the following function.

$$f(\gamma_k) = \left(1 - \frac{1}{N_f N_c}\right)^{2T_L(1-\rho)\gamma_k} \left(1 - \frac{(1-\rho)sT_L}{\tau N_f N_c + \rho(1-\rho)T_L^2\gamma_k}\right). \quad (15)$$

Setting $\partial f / \partial \gamma_k = 0$ results in a quadratic equation

$$c_1 w^2 - c_1 c_2 w + c_2 \rho T_L = 0, \quad (16)$$

where $c_1 = 2\ln(1 - 1/(N_f N_c))$, $c_2 = (1-\rho)sT_L$, and

$$w = \tau N_f N_c + \rho(1-\rho)T_L^2\gamma_k. \quad (17)$$

Solving equation (16) for $w$ yields

$$w = \frac{c_1 c_2 - \sqrt{c_1^2 c_2^2 - 4 c_1 c_2 \rho T_L}}{2 c_1}. \quad (18)$$

Since $c_1 < 0$, the discriminant in (18) is positive and the root with the minus sign is the one with $w > 0$. Combining (17) with (18) completes the proof. □

Remark 3: Theorem 2 shows that there indeed exists a unique traffic load $\gamma_k^*$ for node $k$ to minimize its worst-case delay, and that $\gamma_k^*$ is independent of the delay threshold $\sigma$, which can also be observed in Fig. 3. Thus, the delay of messages with different delay thresholds can be all minimized at the same optimal traffic load.
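The bounds (1), (11) and (19) and the optimum of Theorem 2 can be checked numerically. The following Python script is an added example, not code from the paper: it implements the reconstructed formulas, uses the Fig. 3 parameters, and assumes a single-channel jammer ($s = 1$), a value the figure caption does not give. One caveat a practitioner should keep in mind: the per-attempt jamming term in (5) and (10) is a Markov bound, so for small $\gamma_k$ (with these parameters, below roughly 8.9 kilo-messages/s) it exceeds 1 and the delay bound becomes vacuous. The code clips it to a probability, which is what produces the flat top of the left arm of the U-shaped curve.

```python
"""Worst-case delay bounds (1), (6)/(11), (19) and the optimal load of Theorem 2.

Added example, not code from the paper. It evaluates the reconstructed bounds
with the Fig. 3 parameters (N_f = N_c = 10, T_L = 1 ms, rho = 0.1, tau = 1 us)
and assumes a single-channel jammer, s = 1, which the figure caption does not
state. All loads are in messages/s, all times in seconds.
"""
import math


def collision_free(gamma_k, Nf, Nc, T_L, rho):
    # 1 - P(C_i) from (3): no other transmission hits the same channel
    # within the vulnerable window of length 2(1 - rho) T_L.
    return (1.0 - 1.0 / (Nf * Nc)) ** (2.0 * T_L * (1.0 - rho) * gamma_k)


def jam_prob_nonreactive(Nf, Nc, rho, s):
    # Markov bound (5) on P(J_i); independent of the traffic load.
    return (1.0 - rho) * s / (rho * Nf * Nc)


def jam_prob_reactive(gamma_k, Nf, Nc, T_L, rho, tau, s):
    # Bound (10): the denominator is N_f N_c times the jammer's expected
    # renewal interval, so traffic at other nodes keeps it busy longer.
    denom = tau * Nf * Nc + rho * (1.0 - rho) * T_L ** 2 * gamma_k
    return (1.0 - rho) * s * T_L / denom


def invalidation_bound(gamma_k, sigma, Nf, Nc, T_L, rho, tau, s,
                       reactive=True, coordinated=True):
    """Upper bound on P(D_k > sigma).

    reactive=False evaluates (1), reactive=True evaluates (6)/(11), and
    coordinated=False adds the channel-mismatch factor 1/(N_f N_c) of (19).
    The per-attempt jamming term is a Markov bound and exceeds 1 at low
    loads; it is clipped so that the result is a probability (the bound is
    then simply vacuous, P(D_k > sigma) <= 1).
    """
    if reactive:
        p_jam = jam_prob_reactive(gamma_k, Nf, Nc, T_L, rho, tau, s)
    else:
        p_jam = jam_prob_nonreactive(Nf, Nc, rho, s)
    p_jam = min(1.0, max(0.0, p_jam))
    p_success = collision_free(gamma_k, Nf, Nc, T_L, rho) * (1.0 - p_jam)
    if not coordinated:
        p_success /= Nf * Nc
    attempts = int(round(sigma / T_L))   # sigma / T_L assumed integral, as in the proofs
    return (1.0 - p_success) ** attempts


def optimal_load(Nf, Nc, T_L, rho, tau, s):
    """gamma_k^* of Theorem 2 with c_2 = (1 - rho) s T_L."""
    c1 = 2.0 * math.log(1.0 - 1.0 / (Nf * Nc))            # c1 < 0
    c2 = (1.0 - rho) * s * T_L
    disc = c1 * c1 * c2 * c2 - 4.0 * c1 * c2 * rho * T_L  # > (c1 c2)^2 because c1 < 0
    w = (c1 * c2 - math.sqrt(disc)) / (2.0 * c1)          # the positive root of (16)
    return (w - tau * Nf * Nc) / (rho * (1.0 - rho) * T_L ** 2)   # invert (17)


def grid_optimal_load(sigma, Nf, Nc, T_L, rho, tau, s, coordinated=True,
                      step=100.0, gamma_max=200000.0):
    """Brute-force argmin of the reactive bound over a load grid (cross-check)."""
    best_g, best_p, g = 0.0, 2.0, 0.0
    while g <= gamma_max:
        p = invalidation_bound(g, sigma, Nf, Nc, T_L, rho, tau, s, True, coordinated)
        if p < best_p:
            best_g, best_p = g, p
        g += step
    return best_g


FIG3 = dict(Nf=10, Nc=10, T_L=1e-3, rho=0.1, tau=1e-6, s=1)

if __name__ == "__main__":
    gstar = optimal_load(**FIG3)
    print("gamma_k^* = %.0f messages/s" % gstar)
    for sigma in (3e-3, 6e-3, 9e-3):
        print("sigma = %.0f ms: grid argmin = %.0f, reactive bound at optimum = %.3g, "
              "non-reactive = %.3g, uncoordinated = %.3g" % (
                  sigma * 1e3, grid_optimal_load(sigma, **FIG3),
                  invalidation_bound(gstar, sigma, **FIG3),
                  invalidation_bound(gstar, sigma, reactive=False, **FIG3),
                  invalidation_bound(gstar, sigma, coordinated=False, **FIG3)))
```

Running the script shows the three properties the section argues for: the grid argmin agrees with the closed form and does not move with $\sigma$ (Remark 3) or with the communication mode (Theorem 4), the reactive bound at the optimum is larger than the non-reactive one (Theorem 1), and the uncoordinated bound is far worse than the coordinated one at the same load.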

3.2  Jamming  against  Uncoordinated  Mode 

So far, we have derived the theoretical results of the worst-case jamming impact on coordinated communication, which is used for IED communication in normal operations in the smart grid. We show that, interestingly, there indeed exists a unique traffic load for a node to minimize its worst-case delay. In the following, we present the theoretical results on uncoordinated communication, which can be used for key establishment between IEDs. Similar to Section 3.1, our goal is to find out the worst-case performance, $P(D > \sigma)$, for uncoordinated communication under both non-reactive and reactive jamming attacks.

Theorem 3 (Worst-Case Delay in Uncoordinated Mode): For wireless local-area network $\mathcal{N}(m, N_f, N_c)$ under uncoordinated communication, the worst-case delay performance at node $k$ is induced by reactive jamming with sensing time $\tau$ sufficiently small. Specifically, the message delay $D_k$ satisfies

$$P(D_k > \sigma) \le \left( 1 - \frac{1}{N_f N_c} \left(1 - \frac{1}{N_f N_c}\right)^{2T_L(1-\rho)\gamma_k} \left(1 - \frac{(1-\rho)sT_L}{\tau N_f N_c + \rho(1-\rho)T_L^2\gamma_k}\right) \right)^{\sigma/T_L}, \quad (19)$$

where $T_L$ is the message transmission duration, $\sigma$ is the message delay threshold, $\gamma_k = \sum_{j \ne k} \lambda_j$, and $\lambda_j$ is the traffic rate at node $j$.

Proof: Without loss of generality, assume that node 1 attempts to transmit a message with duration $T_L$ to node 2 using the uncoordinated mode, in which nodes 1 and 2 uniformly choose a frequency-code channel to transmit and receive, respectively. They switch channels from time to time. For the sake of simplicity, the time is partitioned into time slots with length $T_L$. The sender and receiver switch their channels at the beginning of each time slot. Assume that for the $i$-th delivery attempt ($1 \le i \le \sigma/T_L$), nodes 1 and 2 reside at the $(u_i, v_i)$-th channel and the $(d_i, e_i)$-th channel, respectively.

The message invalidation probability is written as

$$P(D_1 > \sigma) = P\left( \bigcap_{i=1}^{\sigma/T_L} (C_i \cup J_i \cup M_i) \right), \quad (20)$$

where $C_i$ and $J_i$ denote the events that the $i$-th transmission is disrupted by collision and jamming, respectively; and $M_i$ denotes the event that there is a channel mismatch between the sender and receiver, i.e., $M_i = \{u_i \ne d_i\} \cup \{v_i \ne e_i\}$.

To find $P(D_1 > \sigma)$, we need to compute the collision probability $P(C_i)$, the jamming probability $P(J_i)$, and the mismatch probability $P(M_i)$, respectively. Since we have already obtained $P(C_i)$ in (3), as well as $P(J_i)$ in (5) and (10) under non-reactive and reactive jamming attacks, we in the following derive $P(M_i)$, which is the probability that node 1 does not reside at the same channel as node 2, i.e., either $u_i \ne d_i$ or $v_i \ne e_i$. We have

$$P(M_i) = P(\{u_i \ne d_i\} \cup \{v_i \ne e_i\}) = 1 - \frac{1}{N_f N_c}. \quad (21)$$

With (20), (21), (3), (5) and (10), using similar procedures as in Theorem 1, we get that $P(D > \sigma)$ satisfies (19). □

Fig. 5. Uncoordinated communication: worst-case $P(D_k > \sigma)$ versus $\gamma_k$ with delay thresholds of 10 ms and 30 ms. ($N_f = 10$, $N_c = 2$, $T_L = 1$ ms, $\rho = 0.1$, and $\tau = 1$ µs.)

Fig. 5 shows an example of the worst-case message invalidation probabilities for a time-critical application in both coordinated and uncoordinated modes. It is observed that, similar to coordinated communication, the worst-case message invalidation probability in uncoordinated communication exhibits U-shaped curves in Fig. 5, indicating that the delay performance in uncoordinated communication also depends on the aggregate traffic load $\gamma_k$, and can be minimized by optimizing $\gamma_k$. However, the delay performance in uncoordinated communication is substantially worse than that in coordinated communication. This is due to the opportunistic nature of uncoordinated communication: the sender and receiver have to randomly select channels to transmit and receive, respectively. Fig. 5 implies that in general, uncoordinated communication should not be used for time-critical message delivery.

Another observation in Fig. 5 is that the message invalidation probability is always minimized at the same traffic load regardless of communication modes. For example, we can see that the probabilities for all four cases in Fig. 5 are all minimized at $\gamma_k \approx 19$ kilo-messages/s. This shows that if we have the same setups in a wireless network, there exists one optimal traffic load for a node to minimize its message invalidation probability in both coordinated and uncoordinated communications, which is formally proved in the following.

Theorem 4 (Optimal Load in Uncoordinated Mode): In a network with setups stated in Theorem 2, the optimal load $\gamma_k^*$ in coordinated mode also minimizes the message invalidation probability in uncoordinated mode.

Proof: For uncoordinated communication, in order to minimize (19) (as a function of $\gamma_k$), it is equivalent to find the value of $\gamma_k$ that maximizes the function

$$g(\gamma_k) = \frac{1}{N_f N_c} \left(1 - \frac{1}{N_f N_c}\right)^{2T_L(1-\rho)\gamma_k} \left(1 - \frac{(1-\rho)sT_L}{\tau N_f N_c + \rho(1-\rho)T_L^2\gamma_k}\right) = \frac{f(\gamma_k)}{N_f N_c}, \quad (22)$$

where $f(\gamma_k)$ is given in (15), which is the objective function in the coordinated mode. Hence, finding $\gamma_k^*$ that maximizes $g(\gamma_k)$ is equivalent to finding $\gamma_k^*$ that maximizes $f(\gamma_k)$. Therefore, $\gamma_k^*$ also minimizes the message invalidation probabilities in uncoordinated mode. □
Remark 4: Despite the evident performance difference between coordinated and uncoordinated communications, Theorem 4 illustrates that their delay performance can be optimized at the same time by choosing one optimum traffic load in the network. In the smart grid, a
node's  traffic  load  is  usually  static  and  quite  unsaturated 
for  real-time  power  management.  For  example,  wireless 
monitoring  for  substation  transformers  only  needs  to 
transmit  a  message  every  second  [2].  This  indicates  that 
in  general,  we  should  intentionally  increase  a  certain 
amount  of  redundant  traffic  to  obtain  the  optimal  traffic 
load.  Then,  legitimate  messages  can  have  a  chance  to  be 
successfully  delivered  during  the  period  that  jamming 
attacks  attempt  to  disrupt  redundant  traffic.  We  name 
such  traffic  as  camouflage  traffic  since  it  serves  as  camou¬ 
flage  to  "hide"  legitimate  traffic  from  attacks. 

4  TACT  System 

We have shown that for both coordinated and uncoordinated communications in wireless smart grid applications, the delay performance is sensitive to the network traffic load under jamming attacks. As a result, generating camouflage traffic is promising to improve the worst-case delay performance. In this section, we present our adaptive method that generates camouflage traffic to minimize the message delivery delay in wireless networks for smart grid applications.

4.1  Motivation  and  Method  Design 

Our  objective  is  to  design  a  feasible  method  to  minimize 
the  worst  case  delay  performance  for  practical  wireless 
smart  grid  applications  under  jamming  attacks.  We  first 
describe  the  general  idea  of  our  method,  which  can  be 
used for both coordinated and uncoordinated communication modes. Notice that Theorem 2 shows that the optimal load $\gamma_k^*$ is a function of message transmission time $T_L$, which depends on message length $L$. If all nodes' messages have the same length, the optimal load for every node will be the same, i.e., $\gamma_1^* = \gamma_2^* = \cdots = \gamma_m^*$. However, in the smart grid, a node has different message types with distinct lengths. For example, monitoring and control messages in substations can have lengths of 98 and 16 bytes [19], respectively. Thus, it is impossible to use one optimal load to minimize the delay for all message types. A reasonable choice is to generate camouflage traffic at the optimal point to minimize the delay for the most time-critical messages, since such messages are of the most importance and generally used for protection procedures [14], [19]. Therefore, to obtain the optimal traffic load $\gamma_k^*$, $T_L$ is chosen to be the transmission time of the most time-critical messages. Then, we have $\gamma_1^* = \gamma_2^* = \cdots = \gamma_m^*$.

It is also worthy of mention that the optimal traffic load $\gamma_k^*$ is a function of the jammer's sensing time $\tau$. As $\tau$ varies in practice, it is difficult to pre-configure network setups to generate camouflage traffic at the optimal load. An appropriate strategy is to adaptively generate traffic at each node into the network such that the overall network traffic load can be balanced around the optimum. Thus, we design the TACT method (transmitting adaptive camouflage traffic). The intuition behind TACT is two-fold. 1) TACT should avoid node coordination. Admittedly, node coordination can further help improve the delay performance. However, it introduces an additional security issue of coordination message delivery under jamming. Thus, TACT should be of distributed nature, inducing the minimum complexity and node coordination. 2) Since the worst-case message delay is minimized at a positive traffic load, TACT should always attempt to increase the traffic load. If the performance is degraded after the increase, it can reduce the load.

Algorithm 1: TACT at Each Node.

Given: $T_L$, $L_{\min}$, $L_{\max}$, $\Delta_{\mathrm{inc}}$, $\Delta_{\mathrm{dec}}$. Init: $M_{\mathrm{prev}} \leftarrow 0$, $L \leftarrow L_{\min}$.
repeat
  Transmit probing messages in the observation period.
  Measure the number of ACKs, $M_{\mathrm{now}}$.
  if performance not degraded ($M_{\mathrm{now}} \ge M_{\mathrm{prev}}$) then
    Increase the traffic load: $L \leftarrow \min(L + \Delta_{\mathrm{inc}}, L_{\max})$.
  else
    Decrease the traffic load: $L \leftarrow \max(L - \Delta_{\mathrm{dec}}, L_{\min})$.
  end if
  Record history: $M_{\mathrm{prev}} \leftarrow M_{\mathrm{now}}$.
until TACT is disabled.

Accordingly, we propose to implement the TACT method at every node in a wireless network for the smart grid. As shown in Algorithm 1, TACT measures the delivery results of probing messages to adjust the amount of camouflage messages in the network. Each camouflage message is transmitted on a randomly selected frequency/code channel. When TACT is deployed, there are three major traffic types in the network: i) routine traffic for power monitoring and control, which cannot be changed as it is coupled with the setups of power devices; ii) probing traffic for performance measurement, whose message transmission time equals $T_L$; iii) camouflage traffic to balance the overall network traffic load. Fig. 6 shows an example of the traffic dynamics caused by TACT: in the first observation period, two probing messages are both ACKed, meaning that the current traffic load is not harmful. Then, TACT sends one more camouflage message in the next observation period. The traffic load will keep being increased until it reaches the optimum, and finally fluctuates around the optimum.


Fig. 6. How TACT balances the network traffic: two probing messages are ACKed in one observation period, so one more camouflage message is sent in the next (routine, probing and camouflage messages are shown along the time axis).


4.2  Uniform  Optimum 

When TACT is deployed at node $k$, it starts to increase node $k$'s traffic load $\lambda_k$. However, increasing $\lambda_k$ cannot improve node $k$'s own delay performance, since $P(D_k > \sigma)$ is not a function of $\lambda_k$ but a function of $\gamma_k = \sum_{i \ne k} \lambda_i$. By transmitting more traffic into the network, node $k$ in fact increases the network traffic loads $\gamma_i$ ($i \ne k$) observed at other nodes. At the same time, node $k$ is expecting others to do the same to help itself. Thus, the efficiency of TACT relies on such homogeneous behavior in all nodes, which however cannot be guaranteed when nodes have evidently heterogeneous traffic rates. Consider an extreme case: there are two nodes (nodes 1 and 2) with routine traffic rates of 1 and 1000 messages/s, respectively. The optimal loads are $\gamma_1^* = \gamma_2^* = 1000$ under a reactive jammer. Initially, $\gamma_1 = \lambda_2 = 1000$ and $\gamma_2 = \lambda_1 = 1$.

When TACT starts, node 2 is far from the optimum and keeps increasing its traffic load. In contrast, node 1 immediately reaches the optimum and never generates more traffic to help node 2.

Therefore, in order to ensure a uniform optimum over all nodes, a solution is to mandate that every node have the same minimum traffic load, regardless of their different routine traffic rates. This can be achieved by assigning different minimum camouflage traffic loads $L_{\min}$ (as given in Algorithm 1) to different nodes. Specifically, let node $k$'s minimum camouflage traffic load be $L_{\min}(k) = \max_{1 \le i \le m} a_i - a_k$, where $a_i$ denotes the (fixed) routine traffic load at node $i$. Thus, the minimum overall traffic load that must be transmitted by every node is uniformly equal to $\max_{1 \le i \le m} a_i$. In the previous example, we can assign $L_{\min} = 999$ and 0 to nodes 1 and 2, respectively. Then, both nodes have the optimal traffic load when TACT starts. If the optimal load is 1500 messages/s, both nodes will increase their camouflage traffic loads until reaching the optimum. In Section 5, we use experiments to show the effectiveness of TACT.
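The following Python simulation, added here as an example and not the paper's implementation, runs Algorithm 1 at every node against a noise-free oracle: the number of ACKed probes in an observation period is taken to be the probe count times the per-attempt success probability $f(\gamma_k)$ of (15), evaluated at the load the other nodes currently generate. It uses the Fig. 3 channel parameters and assumes $s = 1$; the step sizes, probe count and routine rates are constructed for the example. The uniform-minimum rule $L_{\min}(k) = \max_i a_i - a_k$ is applied in one run and switched off in another. The second run reproduces the heterogeneity problem described above with a two-node network scaled so that the high-rate node's routine traffic already sits near $\gamma_k^* \approx 27.9$ kilo-messages/s: that node never sees enough traffic from its low-rate peer, while its own camouflage pushes the peer far past the optimum.

```python
"""Distributed TACT (Algorithm 1) with the uniform-minimum rule of Section 4.2.

Added example, not the paper's implementation. Every node runs Algorithm 1
against an oracle that returns the expected number of ACKed probes under
worst-case reactive jamming: probes * f(gamma_k), with f from (15) and
gamma_k = sum_{i != k} lambda_i the load the *other* nodes currently send.
Channel parameters are those of Fig. 3 (N_f = N_c = 10, T_L = 1 ms, rho = 0.1,
tau = 1 us); s = 1, the step sizes, probe count and routine rates are
assumptions of this example. All loads are in messages/s.
"""


def success_prob(gamma_k, Nf=10, Nc=10, T_L=1e-3, rho=0.1, tau=1e-6, s=1):
    # f(gamma_k) of (15), clipped to [0, 1]: the Markov bound on P(J_i)
    # exceeds 1 at low loads, where the delay bound is vacuous.
    p_jam = (1 - rho) * s * T_L / (tau * Nf * Nc + rho * (1 - rho) * T_L ** 2 * gamma_k)
    p_jam = min(1.0, max(0.0, p_jam))
    return (1 - 1 / (Nf * Nc)) ** (2 * T_L * (1 - rho) * gamma_k) * (1 - p_jam)


def min_camouflage_loads(routine):
    """L_min(k) = max_i a_i - a_k: every node then starts at the same total load."""
    top = max(routine)
    return [top - a for a in routine]


class TactNode:
    """One node running Algorithm 1."""

    def __init__(self, routine_rate, L_min, L_max, d_inc, d_dec):
        self.a = routine_rate          # fixed routine traffic, cannot be changed
        self.L_min, self.L_max = L_min, L_max
        self.d_inc, self.d_dec = d_inc, d_dec
        self.L = L_min                 # camouflage load, initialised to L_min
        self.M_prev = 0.0              # ACK count recorded in the previous period

    def total_load(self):
        return self.a + self.L

    def step(self, M_now):
        # Performance not degraded (M_now >= M_prev): add camouflage; else back off.
        if M_now >= self.M_prev:
            self.L = min(self.L + self.d_inc, self.L_max)
        else:
            self.L = max(self.L - self.d_dec, self.L_min)
        self.M_prev = M_now


def run_tact(routine, rounds=150, probes=20, d_inc=500.0, d_dec=500.0,
             L_max=1e5, uniform_min=True):
    """Simulate all nodes stepping once per observation period.

    Returns the final aggregate loads gamma_k seen by each node. With
    uniform_min=False every node starts at L_min = 0, which reproduces the
    heterogeneity problem of Section 4.2.
    """
    L_min = min_camouflage_loads(routine) if uniform_min else [0.0] * len(routine)
    nodes = [TactNode(a, lm, L_max, d_inc, d_dec) for a, lm in zip(routine, L_min)]
    for _ in range(rounds):
        totals = [n.total_load() for n in nodes]
        gammas = [sum(totals) - t for t in totals]
        # Expected ACKs: node k's own load does not enter its own gamma_k.
        for n, g in zip(nodes, gammas):
            n.step(probes * success_prob(g))
    totals = [n.total_load() for n in nodes]
    return [sum(totals) - t for t in totals]


if __name__ == "__main__":
    # Constructed routine rates: (m - 1) * max(a_i) stays below gamma^* ~ 27.9k.
    print("uniform L_min :", [round(g) for g in run_tact([1.0, 500.0, 9000.0])])
    # The paper's two-node example, scaled so node 2's routine rate sits near gamma^*.
    print("L_min = 0     :", [round(g) for g in run_tact([1.0, 27500.0], uniform_min=False)])
```

With the uniform minimum, all nodes see the same $\gamma_k$, make the same decision each period, and end up oscillating one step either side of the optimum. Because the oracle returns expected values, an unchanged load reads as "not degraded" ($M_{\mathrm{now}} \ge M_{\mathrm{prev}}$) and Algorithm 1 keeps adding camouflage, which is why $L_{\max}$ matters; in a real deployment the ACK counts are noisy, so a practitioner would compare against a smoothed history rather than a single previous period.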

4.3  TACT  in  Coordinated  and  Uncoordinated  Modes 

So  far,  we  have  presented  the  fundamentals  of  TACT 
to minimize the worst-case message delay under jamming attacks. Although we have shown that uncoordinated communication is not appropriate for time-critical applications, it is still essential to establish the secret key for coordinated communication. As a result,
both  communication  modes  are  indispensable  to  fully 
secure  communications  for  time-critical  applications  in 
the  smart  grid.  Specifically,  uncoordinated  mode  is  used 
for  key  establishment  and  update.  After  the  secret  key 
is  established  or  updated,  the  two  communicators  can 
use  coordinated  mode  to  exchange  information  based 
on  the  secret  key.  Hence,  to  substantially  improve  the 
performance  of  a  wireless  smart  grid  application  with 
jamming  resilience,  TACT  should  be  adapted  to  both 
coordinated  and  uncoordinated  communications.  This 
means  that  TACT  must  be  enabled  as  long  as  a  node  is 
active,  regardless  of  the  mode  on  which  it  operates.  Ac¬ 
cordingly,  we  summarize  the  complete  jamming-resilient 
communication  scheme  with  TACT  in  Algorithm  2. 

In Algorithm 2, all the keys of a node are obtained from the gateway via uncoordinated communication. If two nodes want to communicate with each other, they also need to request the key for such communication from the gateway. Hence, the gateway can be considered as a key management center in the network. It is worthy of note that in Algorithm 2, every node operates on either uncoordinated or coordinated mode. The gateway, however, is required to operate on both modes simultaneously. Unlike IEDs, which are embedded computers on power infrastructures, the gateway is usually a computer server equipped with powerful computing and communication abilities [5]; thus, it is reasonable to assume that the gateway is capable of operating on both modes.

Algorithm 2: Communication Scheme with TACT.

Initialization: Enable TACT.
repeat
  Mode ← Uncoordinated mode.
  Obtain key $K$ and period $T_K$ from the gateway.
  Mode ← Coordinated mode.
  Use $K$ for a period of $T_K$.
until The node leaves the network.

4.4  Discussion  on  Improving  TACT 

In Algorithm 2, we can see that when an IED joins the network, it starts to adaptively transmit camouflage traffic until it observes performance degradation at a certain load, then remains approximately at that load. This inevitably leads to a fair amount of redundant traffic and a waste of the energy used to transmit such traffic even when there is no attack. Although we know that in this case the delay is still upper bounded by the guaranteed performance given in Theorem 1, it is quite desirable to avoid such traffic in normal system operations. To this end, we can deploy a reactive jamming detector [26] in each IED; TACT is then triggered and starts to transmit camouflage traffic only when an attack is detected.

It is worth noting that the distributed nature of TACT requires the minimum node coordination, in which each node sends camouflage traffic on randomly selected channels. Such traffic may collide with legitimate traffic; thus, node coordination may further improve the efficiency of TACT, which can be achieved by letting the gateway node assign carefully-designed transmission patterns for camouflage traffic at each node.

5  Smart  Grid  Anti-Islanding:  Secure 
Key  Establishment  and  Communication 

We have found that there exists an optimal traffic load to minimize the worst-case message delay, and carefully designed the distributed TACT method to achieve the optimal load. In this section, we aim at implementing a practical TACT-based system to optimize the delay performance of an important smart grid application, anti-islanding, under jamming attacks in our experimental micro smart grid, Green Hub.


5.1 Anti-Islanding for a Micro Smart Grid

Our goal is to use real-world experiments to show the effectiveness of TACT in improving the delay performance of a wireless application in the smart grid under jamming attacks. In the following, we first introduce the smart grid system used in the experiments. North Carolina State University has established a micro smart grid, Green Hub, to test key smart grid components, such as the solid-state transformer (SST), wireless networking, and dynamic spectrum access [27] for the smart grid. Green Hub includes two solar-array based photovoltaic (PV) systems as distributed energy resources.

An important protection procedure for distributed energy resources is anti-islanding. In power engineering, islanding [28] refers to the condition in which distributed energy resources continue to supply power even though the electric utility is disconnected. Unintentional islanding can cause many problems, such as damaging customers' loads and harming distributed energy resources [28]. Thus, anti-islanding procedures must be deployed in power systems to prevent any unintentional islanding.


Fig. 7. Anti-islanding procedure in Green Hub.

Fig. 7 shows the anti-islanding procedure in Green Hub: when the utility supply is disconnected, the SST detects the islanding and sends an anti-islanding message to the PV system to make it stop generating power. The delay threshold of such a message is 150-300ms [3].

5.2 System Setups

Network setup: There have been several wireless testing networks for anti-islanding in the power engineering community [3], [28]. In this work, we use universal software radio peripheral (USRP) devices with GNU Radio to set up a frequency-hopping based wireless network to provide jamming resilience for the anti-islanding application. Green Hub has two PV-SST pairs for anti-islanding protection. Each device is connected to an IED for communication. Thus, the network consists of four IEDs and a gateway for centralized management. Each IED's routine traffic is one status-update message to the gateway every second. Both the IEDs and the gateway use USRPs to communicate with each other.

Spread spectrum systems: The network uses eight frequency-hopping channels in the 2.4GHz band, each of which uses BPSK modulation and has a bandwidth of 125kHz, resulting in a total network bandwidth of 1MHz. The length of an anti-islanding message is 400 bytes, thereby leading to a transmission time of (400×8)/125 = 25.6ms. The delay threshold is set to 150ms. The application layer at each IED transmits each message 4 times. Thus, the secret key shared by each transmit-receive pair is a frequency-hopping pattern with 4 hops. For TACT, the lengths of probing and camouflage messages are set to 400 and 1000 bytes, respectively. Note that we choose long camouflage messages to increase the chance that a reactive jammer senses and jams such messages.

Jamming attacks: We also set up a USRP-based jammer with an operational bandwidth of 125kHz. When it is non-reactive, it keeps broadcasting jamming pulses, each of which is sent on a randomly selected channel. When it is reactive, it uses an energy detector to scan all 8 hopping channels one by one, and jams any on-going transmission as long as it senses energy activity. The jamming pulse duration is set to 1ms.


Fig. 8. Attack scenario in the anti-islanding network.

Attack scenario: The attack scenario is illustrated in Fig. 8: all IEDs (SST1, PV1, SST2, and PV2) inform the gateway of their status every second. If SST1 or SST2 detects an islanding, it sends an anti-islanding message to its counterpart. The jammer targets SST2 and attempts to disrupt SST2's messages to PV2.


5.3 Experimental Results

When the network is set up, all IEDs first communicate with the gateway in an uncoordinated manner to obtain their secret keys of channel assignments, then use the keys to communicate in a coordinated manner. As a result, we first consider the uncoordinated case; i.e., we first evaluate how TACT can improve the delay performance of key establishment, and then move on to the coordinated case.

5.3.1 Key Establishment

We consider key establishment based on uncoordinated communication: every node keeps sending key requests to the gateway on uniformly selected frequency channels. At the same time, the gateway uniformly chooses a frequency channel to receive on. A message is delivered only when a node and the gateway reside on the same channel. We define the delay of key establishment for a node as the time duration from the instant that the node sends the first key request to the instant that the node receives the reply from the gateway.

Fig. 9 illustrates the mean delay of key establishment as a function of the network traffic load under both non-reactive jamming and reactive jamming. We can observe from Fig. 9 that reactive jamming always induces a larger key establishment delay than non-reactive jamming for uncoordinated communication, which indicates that we should always consider reactive jamming as the worst-case scenario for uncoordinated communication.


Note that Fig. 9 exhibits a U-shaped curve for the delay performance under reactive jamming, showing that under reactive jamming there always exists a traffic load that minimizes the average key establishment delay. As a result, TACT, which is primarily designed to counter reactive jamming by achieving the optimal traffic load, should be useful to substantially decrease the key establishment delay in the wireless anti-islanding scenario.

TABLE 1
Average delay in uncoordinated communication.

Setups:   TACT off   TACT on   Baseline
Delay:    24.2 s     5.61 s    0.814 s

Next, we enable TACT at every node and evaluate the effectiveness of TACT on uncoordinated communication under reactive jamming. During the experiments, we set the following TACT parameters: l_min=0, l_max=30, Δinc=2, Δdec=2, and ten probing messages are sent every second. Table 1 illustrates the average key establishment delay under three scenarios: i) frequency hopping under reactive jamming (TACT is off), ii) frequency hopping with camouflage traffic (TACT is on), iii) baseline performance (no jamming, no TACT). It is observed from Table 1 that uncoordinated-communication based key establishment incurs a fairly large delay even for the baseline (no-jamming) case, which has an average delay of 814ms. This is due to the opportunistic nature of uncoordinated communication. Under reactive jamming, the key establishment delay increases to 24.2s. However, when TACT is enabled, the delay decreases dramatically to 5.61s, as shown in Table 1. Therefore, TACT is very effective in improving the delay performance of key establishment in the smart grid.
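The adaptation loop that Section 4.4 describes, driven by the four parameters set in this paragraph (minimum and maximum load, increase and decrease steps) and by the probing messages, as an added example that is not the paper's Algorithm 2. The controller logic is my reading of the prose ("increase until degradation is observed, then stay near that load"); the `constructed_invalidation` curve is a hypothetical stand-in for the probed link quality with invented constants, and the `attack_detected` flag models the reactive-jamming detector [26] gating proposed in Section 4.4.

```python
import math
import random


def constructed_invalidation(c):
    """Constructed stand-in for the probed link quality (fraction of probe
    messages lost) as a function of a node's camouflage rate c in messages/s.
    The U-shape follows the trend of Fig. 10, but the constants are invented
    for this example and are not the paper's measurements."""
    return 0.412 * math.exp(-c / 5.0) + 0.0006 * c * c


def estimate_by_probing(c, rng, n_probes=10):
    """Noisy estimate from n_probes probe messages (the experiments send ten
    per second): each probe is lost independently with the above probability."""
    lost = sum(1 for _ in range(n_probes) if rng.random() < constructed_invalidation(c))
    return lost / n_probes


def tact_controller(measure, attack_detected=True, l_min=0, l_max=30,
                    d_inc=2, d_dec=2, rounds=30):
    """Hill-climbing adaptation in the spirit of Sec. 4.4 (my reading of the
    text; Algorithm 2 itself is not on this page): raise the camouflage rate by
    d_inc while the probed loss keeps improving, back off by d_dec once it
    degrades, and keep oscillating around that point. With attack_detected
    False (the reactive-jamming detector has not fired) no camouflage is sent.
    Returns (final rate, list of rates visited)."""
    if not attack_detected:
        return l_min, [l_min]
    load, direction = l_min, +1
    last_loss = math.inf
    trajectory = [load]
    for _ in range(rounds):
        loss = measure(load)
        if loss > last_loss:          # degradation observed at this load: reverse
            direction = -direction
        last_loss = loss
        step = d_inc if direction > 0 else d_dec
        load = min(max(load + direction * step, l_min), l_max)
        trajectory.append(load)
    return load, trajectory


if __name__ == "__main__":
    final, path = tact_controller(constructed_invalidation)
    print("exact link quality:", path, "->", final)
    rng = random.Random(7)
    final, path = tact_controller(lambda c: estimate_by_probing(c, rng))
    print("10-probe estimates:", path, "->", final)
```

With the exact curve the controller climbs to the minimum and then oscillates within one step of it, which is the "remains approximately at the load" behaviour of the text. With only ten probes per decision the estimate is quantized to 0.1 and the noisy run wanders, so a deployment would need to average the probe statistic over several probing periods before each step.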

5.3.2 Jamming-Resilient Communication

Next, we consider the coordinated mode after the key is established. We evaluate the impact of both reactive and non-reactive jammers on the anti-islanding application. We generate camouflage messages at rates of 0-30 messages/s. Fig. 10 shows the message invalidation probability as a function of the camouflage traffic rate of each IED. We can see from Fig. 10 that reactive jamming always leads to worse performance than non-reactive jamming, indicating that reactive jamming should be considered the worst-case scenario. Thus, in the following, we only consider reactive jamming. Fig. 10 also shows that the message invalidation probability induced by reactive jamming is a U-shaped function of the traffic load: the message invalidation probability decreases from 41.2% to 0.82% as the camouflage traffic load goes from 0 to 15 messages/s.
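The two channel-access modes evaluated in Sections 5.3.1 and 5.3.2 can be reproduced in a small Monte Carlo model. The following is an added example, not the paper's or Green Hub's software: it takes the setup of Section 5.2 (4 IEDs, 8 hopping channels, 4 hops per anti-islanding message), but the slotted-time model, the Poisson traffic model and the idealized single-channel reactive jammer (no sensing delay, so it always hits a lone transmission) are my own assumptions, and the numbers it produces are not the paper's measurements.

```python
import math
import random

# Constructed slotted-time model of the Green Hub network (added example, not the
# paper's code): N_NODES IEDs, N_CHANNELS hopping channels, one slot = one message
# time, and a reactive jammer that senses and jams exactly one channel per slot.
N_NODES = 4
N_CHANNELS = 8


def poisson(rng, lam):
    """Knuth's Poisson sampler, so the block needs no numpy."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def offered_traffic(rng, load):
    """Messages every IED sends this slot, as {channel: [sender, ...]}.
    load = mean messages per slot per node (routine traffic plus camouflage)."""
    busy = {}
    for node in range(N_NODES):
        for _ in range(poisson(rng, load)):
            busy.setdefault(rng.randrange(N_CHANNELS), []).append(node)
    return busy


class ReactiveJammer:
    """Scans the channels round-robin and jams the first one carrying energy
    (an idealized version of the energy-detector jammer of Sec. 5.2)."""

    def __init__(self):
        self.pointer = 0

    def jam(self, busy):
        for i in range(N_CHANNELS):
            ch = (self.pointer + i) % N_CHANNELS
            if ch in busy:
                self.pointer = (ch + 1) % N_CHANNELS
                return ch
        return None


def key_establishment_delay(load, jammer, max_slots=600, trials=8, seed=1):
    """Uncoordinated mode (Sec. 5.3.1): every IED hops uniformly and so does the
    gateway; a key request gets through only when its channel is the gateway's,
    nobody else is on it, and it is not the jammed channel. Returns the mean
    number of slots until a node holds its key (capped at max_slots)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        pending = set(range(N_NODES))
        for slot in range(1, max_slots + 1):
            if not pending:
                break
            busy = offered_traffic(rng, load)
            jammed = jammer.jam(busy) if jammer else None
            gateway_ch = rng.randrange(N_CHANNELS)
            senders = busy.get(gateway_ch, [])
            if len(senders) == 1 and gateway_ch != jammed and senders[0] in pending:
                pending.discard(senders[0])
                total += slot
        total += len(pending) * max_slots  # nodes still without a key: capped delay
    return total / (trials * N_NODES)


def invalidation_probability(camouflage_load, jammer, hops=4, messages=300, seed=2):
    """Coordinated mode (Sec. 5.3.2): sender and receiver share a hopping pattern
    (the pair key) and the message is repeated once per hop; it is invalidated
    only if every hop is lost to a collision or to the jammer. The IEDs'
    camouflage traffic is the background load on the channels."""
    rng = random.Random(seed)
    invalid = 0
    for _ in range(messages):
        delivered = False
        for _ in range(hops):
            busy = offered_traffic(rng, camouflage_load)
            ch = rng.randrange(N_CHANNELS)  # next channel of the secret pattern
            busy.setdefault(ch, []).append("anti-islanding")
            jammed = jammer.jam(busy) if jammer else None
            if len(busy[ch]) == 1 and ch != jammed:
                delivered = True
                break
        if not delivered:
            invalid += 1
    return invalid / messages


if __name__ == "__main__":
    jammer = ReactiveJammer()
    for load in (0.0, 0.05, 0.25, 0.5, 1.0, 2.0, 5.0):
        print(f"load={load:4}: key delay {key_establishment_delay(load, jammer):6.1f} slots, "
              f"invalidation {invalidation_probability(load, jammer):.3f}")
```

Running the sweep in `main` shows the qualitative U-shape of Fig. 9 and Fig. 10: with no camouflage the idealized jammer catches every lone transmission, a moderate load spreads it thin across several busy channels, and a heavy load loses messages to collisions at the gateway or on the pair's channel.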

Fig. 9. Uncoordinated: Average key establishment delay versus per-node network traffic load.

Fig. 10. Coordinated: Message invalidation probability versus traffic load.

Fig. 11. Coordinated: Message invalidation probability with different delay thresholds.

Then, we consider the delay performance with different delay thresholds of 150, 190, and 230ms under reactive jamming. If the delay threshold becomes larger, we can transmit the same message more times to ensure higher reliability. Thus, the transmissions have 5, 6, and 7 hops (transmission attempts) for messages with delay thresholds of 150, 190, and 230ms, respectively. Fig. 11 shows the message invalidation probabilities for the different delay thresholds. In addition, we also compare the worst-case bounds in Theorem 2 with the experimental results, as shown in Fig. 11. Although there exists a small and non-uniform gap between the worst-case bound and the experimental measurement for each delay threshold, the performance trends shown by the experimental results do match the theoretical prediction and the U-shape phenomenon, which indicates that the worst-case bound in Theorem 2 is tight enough to predict realistic jamming impacts.

TABLE 2
Message invalidation in coordinated communication.

Setups:                     TACT off   TACT on   Baseline
Invalidation probability:   41.2%      0.9076%   0.0532%

Next, we evaluate the effectiveness of TACT against reactive jamming in coordinated communication. We use the same setups as in Table 1. Table 2 illustrates the message invalidation probabilities in three scenarios: i) frequency hopping under reactive jamming (TACT is off), ii) frequency hopping with camouflage traffic (TACT is on), iii) baseline performance (no jamming, no TACT). It is observed from Table 2 that TACT decreases the message invalidation probability from 41.2% to 0.9076%. Although TACT does not achieve the minimum probability of 0.82% shown in Fig. 10, it still improves the delay performance by an order of magnitude under reactive jamming. Note that the baseline performance in Table 2 shows a positive message invalidation probability. This is because error correction is not used in our experiments, in order to reduce the GNU Radio processing delay.


TABLE 3
Message invalidation vs number of hopping channels.

Number of Channels (Nf):   6       8       10       12
TACT off:                  92.3%   68.1%   41.2%    10.1%
TACT on:                   15.1%   6.01%   0.831%   0.212%

Table 3 shows the message invalidation probability as a function of the number of frequency-hopping channels Nf under reactive jamming. It is known that increasing Nf can reduce the message delay for spread spectrum communication, as more spectrum resources are used. Table 3 illustrates that when Nf goes from 6 to 12, the message invalidation probability in the frequency-hopping-only (no TACT) scenario decreases from 92.3% to 10.1%, while TACT further reduces the probability from 10.1% to 0.21%. As a result, TACT is a promising mechanism that offers a new dimension to improve the delay performance of smart grid communication.

5.4 Discussions

In our experiments, both the IEDs and the jammer have a low operational bandwidth of 125kHz, which is due to the limited processing capability of the USRP-to-PC architecture. Thus, our goal is not to design a commercial anti-islanding system, but to demonstrate a proof-of-concept application of TACT in the smart grid.

We observed that TACT achieved nearly optimal performance. It is challenging to design an adaptive method that always works at the optimal load. However, the concept of transmitting camouflage traffic can lead to more TACT-like methods that further improve the delay performance of wireless smart grid applications.

Currently, both legitimate and camouflage traffic are blind to all legitimate receivers and attackers. This is the simplest setup, in which attackers have no ability to distinguish legitimate traffic from camouflage traffic, but it also causes collisions between legitimate and camouflage transmissions. We will explore smart ways to avoid such collisions in future work.

We also emphasize that our methodology in this paper is to optimize the worst-case performance in order to offer a performance guarantee for smart grid applications. Therefore, our worst-case optimization does not necessarily mean a uniformly optimal solution for all cases. This indicates that when a jammer constantly changes its jamming behavior, our countermeasure may not keep providing optimal solutions against each behavior. However, despite the jammer's varying strategies, the performance it induces is always bounded by the worst case. Therefore, as long as we design our countermeasures based on the worst case, we can always provide a performance guarantee under any attack behavior, which is our goal and also essential for smart grid applications.

6 Conclusion

In this paper, we provided a comprehensive study on minimizing the message delay for smart grid applications under jamming attacks. By defining a generic jamming process, we showed that the worst-case message delay is a U-shaped function of network traffic load. We designed a distributed method, TACT, to generate camouflage traffic to balance the network load at the optimal point. We showed that TACT is a promising method to significantly improve the delay performance in the smart grid under jamming attacks.